Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

WillgasM writes "Changing your IP address or using proxy servers to access public websites you've been forbidden to visit is a violation of the Computer Fraud and Abuse Act, according to a judge's broad ruling (PDF) during a case on Friday involving Craigslist and 3taps. Opponents argue that this creates a slippery slope that many unsuspecting web users may find themselves upon. With your typical connection being assigned an address dynamically, is an IP ban really a 'technological barrier' to be circumvented? How long until we see the first prosecution for unauthorized viewing of a noindex page?"
Probably a long time; the judge in the case rejected the slippery slope argument: 'There, and sprinkled throughout its earlier, ostensibly text-based, arguments, 3taps posits outlandish scenarios where, for example, someone is criminally prosecuted for visiting a hypothetical website www.dontvisitme.com after a "friend" — apparently not a very good one — says the site has beautiful pictures but the homepage says that no one is allowed to click on the links to view the pictures. Needless to say, the Court’s decision [regarding 3taps' actions]... does not speak to whether the CFAA would apply to other sets of facts where an unsuspecting individual somehow stumbles on to an unauthorized site.' Willful evasion of blocks for commercial gain, on the other hand ...

The company knew they were banned, because Craigslist had sent them a cease and desist letter. Blocking their IP address range was just an enforcement measure, but the ban was against the company, not the IP address range.

The article states: "3taps drew Craigslist's ire by aggregating and republishing its ads, so Craigslist sent a cease-and-desist letter telling the company not to do that. Craigslist also blocked IP addresses associated with 3taps' systems."

However, a brief glance at their website (unless they changed things that quickly) does not show anything of this sort.

Does anyone have a screenshot from earlier, with the offending material?

There is no trespassing if is a public place, you can block a person, but not the direction from which is coming. Is like not forbidding you specifically, but putting a barrier in a street of the city that is between your home and that public place, and put you in jail if you take another route to get there, there is always another way to get in, and you have the right to go anywhere in the city.

But more important, real world analogies specifically in a point where internet diverges from the real world (

Say what?? That makes it a publicly accessible private place, which is far different from a public place. And being a private place, they are perfectly free to restrict who uses it, authorization required or not.

That isn't a bad analogy, except that it assumes a single access point. On the Internet, every URL is an access point. It turns out there is a way to do the equivalent of posting a similar sign on every entry point, and that is an authorization mechanism. Google does this with gmail, etc. for example. Craigslist doesn't do this, so they have no leg upon which to stand. This means of course that the judge is a misinformed idiot, but that should come as no surprise to anyone on Slashdot.

Wrong, wrong, wrong. Authorization is a property, not a technical control. No, everybody does NOT access the site 'without authorization', because the site owner has implicitly given authorization to the general public. That in no way prevents him from revoking that authorization from specific people.

You have not given a single reason that the analogy is incorrect, other than that you apparently wish it were.

Do you require explicit 'authorization' to enter a Walmart? Does Walmart check the ID of each pe

What do you think happens when you go to a website? Too stupid to know? OK, I'll tell you: you use their servers. There is NO WAY that you are looking at ANYTHING on Craigslist, or any other website, without using their property.

What part of the Internet don't you understand? You're making a direct analog between meat-space and cyberspace where it doesn't work.

If I look at a Wal-Mart entrance from off their property, I am standing there being passive. I'm just receiving and interpreting large numbers of photons that go from the entrance to my eyes. I might be doing this even if I have no desire to look at a Wal-Mart. If I look at a web page, I'm sending a HTTP request to the appropriate server, and expecting to have that ser

The open internet, is, by definition, a public place, any place that you can access without a login and password are the digital equivalent of a public place, anyone can visit it. If you put "fences", require user/password to access certain pages, that would be the private places, and there you can say "ok, you can't enter", but for places where everyone, even in an anonymous way can enter, is at the very least harder if not impossible (if you can't use proxy for your fixed IP office connection, can go to

Hold on now. The internet is full of businesses and individuals with websites that they run and maintain it's not run by the city, state, or parks and recreation. Trust me if you park your car on my front lawn I'll have you towed and the fact that it's not fenced in means nothing it's still private property.

Now here is what you have a business Craig's list and a third party 3taps standing in the parking lot giving out fliers with the Craig's list ads and their competitors ads. They sent them written notice

Let's say I am watching a baseball game in one of these Chicago buildings just outside Wrigley Field. The Cubs decide they don't want us to watch the ballgame for free anymore so they block our view by putting a tarp or building a new scoreboard. According to this ruling it would be illegal tresspass for us to find another, maybe taller building from where to keep watching...

Uh, no. When you access a website you are using the web site owners property (the server). When you are watching a ballgame from outside the stadium you are not using their property. I can not tell you where not to look, but I sure as hell can tell you to stay off my property.

So, to fix your very flawed analogy, it is more like 'I got caught using a hole in the fence to get into Wrigley Field. They told me not to do that anymore, and fixed that hole in the fence. According to this ruling it would be ill

Being banned from a site is no different from being banned from a physical location. The security is week. You can come up with hypothetical around wearing a mask into the store. Someone comes into a store wearing a mask and is confused for a criminal. But at the end of the day, if a person tells you go away and you don't, judges are not going to be sympathetic.

It's more like this: You go to a store, harass employees and get banned. Security is told not to let that guy in the Slayer shirt back into the store. You then go out to your car, change shirts, and back in past the security guard and start harassing employees again. I'm all for charging you with harassment and trespassing, but it's still not illegal to change your shirt.

Computer Fraud and Abuse Act is the trespassing charge. Perhaps website trespassing needs to be seperated out into its own thing. Lumping it in with theft of data and corporate sabotage is a bit unfair.

Agreed. If they want to argue that accessing the site was illegal because of the C&D letter, then that's fine. The method of accessing it shouldn't be criminalized. If CL had never even instituted an IP ban and 3taps kept doing what they were doing, it should have made no difference to this case. If I post no trespassing signs but leave the gate open, it's still trespassing. This ruling sets an unnecessary and dangerous precedent.

What is the precendent? The ruling does not say that changing your IP address is a violation. The only reason the IP address change is important is because that is shows the defendant intentionally accessed the site after they were told not to. The first words of the CFAA are 'whoever having knowingly...'. They got a C&D letter, they had their IP blocked, so the changed their IP to get around the block. Kind of hard at that point to claim you didn't know you were not authorized.

I guess. So long as it's only used to establish intent to access the system and there's other evidence to prove you weren't authorized. I just fear that our tech illiterate judges will come to interpret an IP block as a revocation of authorization in and of itself. Boils back down to "I am not my IP"

You cannot steal that which is freely given. Since craigslist immediately serves up its content to anyone who goes to their URL, you cannot claim it is not freely given. If they want it to be otherwise, they need to require authorization. It isn't as though this technology isn't readily available and easy to implement.

So we already agree that it isn't unauthorized access (you are already further ahead of the game than most; congratulations.) It would be copyright infringement, except they don't own any copyright on what I post..

". The users who posted the ad gave license to Craigslist to publish the ad freely (via T&C's) but not to this third-party."

No. They do no such thing. I just posted an ad, and they don't even ask you to agree to a TOS before posting, nor do they have a notice assigning your copyright to them

I just clicked on the link and the E-Mail, and they do in fact require acceptance of a TOS to post, but they do not require an transfer of copyright. They merely say this:

"You automatically grant and assign to CL, and you represent and warrant that you have the right to grant and assign to CL, a perpetual, irrevocable, unlimited, fully paid, fully sub-licensable (through multiple tiers), worldwide license to copy, perform, display, distribute, prepare derivative works from (including, without limitation, i

Technically you could do that, but nobody did that. As you rightly point out, the person who owns the copyright is the poster, and they would have to complain. Of course, this is where craigslist and the posting person are at odds, since the posting person wants their ad seen by as many people as possible. It is to their advantage to have it replicated.

You also expressly grant and assign to CL all rights and causes of action to prohibit and enforce against any unauthorized copying, performance, display, distribution, use or exploitation of, or creation of derivative works from, any content that you post (including but not limited to any unauthorized downloading, extraction, harvesting, collection or aggregation of content that you post).

They offer that "service" for free. It's to the user's advantage to have their ad plastered all over the web, but they could still implicitly accept a contract that waives that. And not everyone necessarily wants their ad elsewhere.

You must be reading what you wrote differently than I am. I don't see the word court in either of our posts. I thought by "Nobody did that" you were referring to "an individual can "hire" Craigslist to police your copyrighted ad for you"

Authorization means that the owner has given you permission. Period. It has NOTHING to do with technical controls. The means of notification of authorization (or lack thereof) are immaterial. As soon as they received the C&D letter they were unauthorized and knew it. Stop pretending it is otherwise.

You cannot steal that which is freely given. Since craigslist immediately serves up its content to anyone who goes to their URL, you cannot claim it is not freely given. If they want it to be otherwise, they need to require authorization. It isn't as though this technology isn't readily available and easy to implement.

That's the geek speaking, confusing authorisation via some computer-implemented authorisation mechanism with legal authorisation. On a website like craigslist with no computer-implemented authorisation mechanism that keeps you out, you can assume that you have the legal authorisation to visit the site. Until you get violently kicked out, like in this case via a court order. Then you have no legal authorisation anymore. Whether the security mechanism employed are strong or weak, you have no authorisation.

No. The judge is an ignorant moron who doesn't understand technology. The legal authorization part is a non-issue since there is no law in place which correctly addresses it. Since the laws were written by the ignorant they have zero applicability. For example, the judge explicitly points out: "But it (the law) does not answer the question here, which is whether Craigslist had the power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its we

Craigslist cannot tell a single person or company that they cannot look at their freely available data they serve to the world through a cease and desist letter any more than I can send a letter telling one of my neighbors that they are hereby forbidden to look through my open windows.

But you can get a court to tell a neighbor they are forbidden to be within 500 yards of your windows. It's called a restraining order. If 3taps had a restraining order from visiting the Craigslist site would that make more sense to you?

It might, but they don't have any such order. A cease and desist letter is not such a court order. In order to get said restraining order you would have to appear in court and show cause. This didn't happen. When the neighbor did show up in court complaining "he is looking in my window and taking pictures", no such order would be granted. The judge would tell you to keep your blinds closed if you don't want him looking in. You did know that in order to get a restraining order you need to show that you

But isn't a cease and desist still a court order? So if a person has a restraining order, then it's ok for them to come look in the windows anyway? You have me confused here. To me it seems that they broke a court order telling them not to do what they did, and they did it anyway. And that sounds similar to someone having a restraining order that came to the sidewalk in front of your house anyway.

No. You are missing two points. The first and most important is that there is no analog in meat space. Every analogy you or I try to make will be broken. The judge failed at his job because he doesn't understand this important point. The second is that, to the extent that all models are broken but some are useful, no "restraining order" was issued prior to the judges ruling, and there is no cause for such an order.. A cease-and-desist letter is not a court order. It is a letter from a craigslist law

Ok, good point. C&D is only from the lawyer not from a court. If a court had told 3tap to stop then I would think they were completely in the wrong. Since it was only Craigslist telling them to stop it is a little more murky. Doesn't a business have the right to refuse service, even if it's a store that is open to the public. Kinda sounds like that maybe. I don't like the misuse of the CFAA and the precedent it sets to be used in any case where someone changes their IP or breaks a stupid TOS or whatever

Now the problem gets even more murky. As a craigslist poster I have contracted with them to make my content available to the world. I have also agreed that they may, on my behalf, aggressively pursue any copyright infringement. Here is the problem: I own the copyright, not craigslist. I merely granted them a license to use/copy my content. I didn't send a cease-and-desist to anyone. In fact, when craigslist tries to stop anyone from accessing my content they are violating their contract with me!

No, the judge explicitly cites the C&D as part of the evidence that 3Tap was on notice that they no longer had authorization to access the site. From the the opinion

The notice issue becomes limited to how clearly the website owner communicates the banning. Here, Craigslist affirmatively communicated its decision to revoke 3Tapsâ(TM) access through its cease-and-desist letter and IP blocking efforts. 3Taps never suggests that those measures did not put 3Taps on notice that Craigslist had banned 3Tap

The way the opinion is structured, neither the IP ban nor the C&D letter does enough work by itself. The former does not by itself provide the target with sufficient notice that their conduct is no longer authorized, while the latter doesn't provide the sort of technological barrier (albeit weak) that is circumvented.

The two work together in concert, each providing an element of the crime that the other lacks.

If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

No. Governments can do almost everything the laws it imposes say citizens (subjects?) cannot do. That's the point of a government, to be the single exception to the rule so that it can impose the rule on everyone else. Also, when the government promises it won't do something that isn't really binding. Sure, some of the time they'll more or less try, without much emphasis and only if they're feeling like it, most of the time however it'll be like that Star Wards exchange between Lando and Darth Vader:

If I put up a web site that forbid anyone working for or on behalf of any TLA or law enforcement agency from accessing any publically accessible content on my site could I use CFAA against the government when they ignore my wishes and suck the whole thing into a NSA database?

Now, if you gave notice to the individual agencies that they weren't welcome and instituted a technological control measure to block them from accessing it and they circumvented that block, then it would fall within

It's interesting because in the earliest days of the net dubious sites with porn on them often sported 'NO entry for police' notices. They've now gone out of fashion, but it appears that this ruling may enable them to have a legal effect, which given the significance of due process in US jurisprudence, could be huge.

You cannot prosecute the government itself for a crime. You'd have to press charges against a John Doe. Private citizens cannot prosecute federal crimes against anyone, that's the job of the US district attorneys.

The feds would have to investigate, the feds would have to subpoena the feds to find out whodunit, the feds would have to prosecute them, and the feds would have to fight the feds fighting it every step of the way on grounds of state secrets.

"3taps Statement Regarding craigslist’s Misuse of the CFAAAt craigslist’s urging, a federal court has recently interpreted the Computer Fraud and Abuse Act (CFAA), known as the “worst law in technology,” to apply when an owner of a public website decides that it no longer wants an Internet user accessing its website. The court held that “the statute protects all information on any protected computer accessed ‘without authorization’ and nothing in that language prohibits a computer owner from selectively revoking authorization to access its website.” Order at 12. 3taps is obviously disappointed in the Judge’s ruling and believes that by making public information publicly available on the Internet, without a password, firewall, or other similar restriction, craigslist has authorized, and continues to authorize, everyone to access that information. 3taps believes that the CFAA was meant to protect private and confidential information and that it was never meant to be used to selectively criminalize accessing public websites and obtaining the public information found on those sites. Importantly, the Court noted that the “current broad reach of the CFAA may well have impacts on innovation, competition, and the general ‘openness’ of the internet . . . but it is for Congress to weigh the significance of those consequences and decide whether amendment would be prudent.” Order at 12. 3taps continues to urge Congress to clarify the scope of the CFAA so that companies like craigslist cannot use it as a tool to stifle competition, innovation, and access to public websites.While we disagree with the Court’s interpretation of the CFAA, we of course respect the Court’s ruling. Accordingly, 3taps will adhere to the current interpretation of the law and will immediately cease all access to craigslist’s servers. (Significantly, 3taps only began accessing craigslist’s servers because, as alleged in 3taps’ antitrust counterclaim, craigslist interfered with 3taps’ ability to source content through general search engines.)Although craigslist may use the CFAA as currently interpreted to prevent 3taps from accessing its servers, 3taps can continue to function because directly accessing these servers is only one of three ways in which the information in question can be obtained. The other two, crowdsourcing and public search results, require no such access to craigslist’s servers and thus obviate the need to engage in conduct that may implicate the CFAA.Going forward, 3taps will operate based on its understanding that if it does not access craigslist’s servers, it has a right to collect public information originally posted on craigslist’s website. In particular, 3taps reasserts four fundamental points:
3taps does not now scrape craigslist’s servers, and therefore, cannot be in violation of the CFAA.
3taps' indexing and caching of exchange posting data reduces (rather than increases) the net computing resources expended by craigslist and other publishers to deliver complex search results to end users.
As the Court previously held, craigslist cannot rely on its current Terms of Use to claim the right to enforce copyrights associated with user-generated ads posted on its website.

The United States Patent and Trademark Office recently confirmed that craigslist cannot trademark a peace sign – even if that peace sign is purple. See http://ttabvue.uspto.gov/ttabvue/ttabvue-77956067-EXA-24.pdf [uspto.gov]. 3taps and others cannot be harassed for using the peace sign to indicate where information was sourced.3taps will hold a public event to demonstrate to any interested party that it is possible (despite assertions to the contrary) to obtain public information on the Internet without reliance on accessing a particular source website. 3taps believes that, by no

Wah wah they told us we couldn't load their servers with screen-scraper shit and sent us legal threats and official notarized C&Ds, and we did it anyway by changing an IP address--a normal thing that users can do even without realizing it--and the judge got pissed at us! I mean how is this different than changing our clothes before walking back into a store we're banned from for harassing the staff?! Are they going to arrest us for changing our clothes now?!

3taps [...] believes that by making public information publicly available on the Internet, without a password, firewall, or other similar restriction, craigslist has authorized, and continues to authorize, everyone to access that information.

This sounds plausible until you realize the subtle trick they are pulling in conflating the information itself with the instance of the information stored on CL servers. 3T does, in fact, have every right to access and publish that information. What they do not have is

3taps is obviously disappointed in the Judge's ruling and believes that by making public information publicly available on the Internet, without a password, firewall, or other similar restriction, craigslist has authorized, and continues to authorize, everyone to access that information.

I'll admit I didn't read the *entire* post, but the "without... firewall" part stuck out to me.

Craigslist put an IP block in place against 3taps. Whether it was with a firewall like iptables or whether it was enacted within the Craigslist software, it seems 3taps' argument has fallen apart already. There was, for all intents and purposes, a firewall in place to block them.

When judges write their rulings -- or rather their employees write their rulings -- the document may go onto a few peoples' desks before release. The more complicated the ruling, the more this is likely as judges don't like things getting overturned. Lots of overturned on appeal looks bad, apparently. Well, it may time for judges to get their rulings to pass some elementary technical review.

That's what the appeals process is for so lawyers on both sides can argue what's right or wrong with the ruling. Amicus briefs can be filed by knowledgeable and respected organizations or individuals on both sides of the arguments as well to point out specific flaws or finer points that weren't exposed in the original trial. These briefs or amici curiae are most often used in appeals. So the EFF or the FSF could file a brief in the appeal on this case based on the legal and technical problems for society

It seems like Craigslist had to pass two hurdles to get to this result. First, they sent a cease and desist letter to 3taps which effectively withdrew authorization to use their website for scraping. Second, they put up a technological barrier (albeit a token one) to prevent 3taps from scraping. 3taps subsequently ignored the cease and desist letter willfully, as demonstrated by their use of proxies. I don't think 3taps has any legs to stand on.

"It seems like Craigslist had to pass two hurdles to get to this result. First, they sent a cease and desist letter to 3taps which effectively withdrew authorization to use their website for scraping. Second, they put up a technological barrier (albeit a token one) to prevent 3taps from scraping. 3taps subsequently ignored the cease and desist letter willfully, as demonstrated by their use of proxies. I don't think 3taps has any legs to stand on. "

Sorry, but that doesn't follow. The issue here is not whether 3taps had permission. The issue is whether accessing the site without permission should be a crime (much less a felony).

And Aaron Schwarz is indeed a good example of that already happening. The problem here seems not to be that it's not a slippery slope, but that 3taps' did not present a good argument that it was.

The "slippery slope" is actually pretty darned evident, and 3taps should simply have made their argument better. For example, all

This ruling does not imply that Aaron Schwarz was acting illegally, and it isn't a slippery slope. Terms of use had nothing to do with the decision.

The important features are the formal letter CL sent to 3taps, informing them that they didn't have permission to access CL servers with HTTP requests, and the IP block CL set up. Schwarz was never formally notified that he didn't have access permission, although he did evade some technical restrictions. If the judge's ruling stood up as the definitive int

Some states define criminal trespass as entering after having received due notice that you are not welcome. They acknowledge they were so notified.Other states define criminal trespass as entering with the intent to perform an unlawful act. Again, they entered the system with the intent to commit an unlawful act, to wit copyright infringement, unfair competition, etc.

So yeah, it's a plain and ordinary case of criminal trespass. The only thing slightly i

Not everyone on a blacklist is guilty. If one person on your work network gets blacklisted from a site, it will hit everyone on that network. Sometimes sites will even blacklist whole IP ranges because too many IPs in the range have been engaged in something malicious, but that doesn't mean that every IP in the range is doing something wrong. And as the summary points out, IPs are allocated dynamically, and not intended to be used as authentication of a real-life identity. Your IP might be blacklisted f

Agree. The CFAA is only being abused to amplify charges. An IP block is a lot different than being told "Leave and don't come back." For one, it could have been an automated process. If the blocked IP literally received a "Leave and don't come back" message instead of a dropped connection, that might be somewhat different but not enough to establish it in my mind. I'm not surprised at all that a judge has trouble understanding the differences - it's still fairly technical.

Whether you deserve to be on the blacklist or not is an internal matter for Craigslist to decide in its sole and final discretion. Craigslist is private property and they reserve the right to ban anyone they darn please, for any or no reason. It's their blacklist to maintain as they see fit.

The C&D letter proves that they were not welcome, and that they also knew it. It is irrelevant if they deserved to be banned or not. The bottom line is that they were banned and deliberate

Craigslist is private property and they reserve the right to ban anyone they darn please, for any or no reason.

Yes, but it's 'private property' in a very strange way, in that they're also a public website. It's not 'private property' like your house is private property. It's 'private property' like the newspaper classifieds section is. The newspaper press can ban you from buying their newspaper, but reading the newspaper doesn't suddenly become a felony.

The C&D letter proves that they were not welcome, and that they also knew it.

So what? If violating the C&D constitutes a crime, then that's a crime. Fine, so be it. Punish these guys for knowingly violating the C&D. That should

Yet you're telling me that, if I try to bypass a blacklist for any reason, I'm committing fraud?

If _one_ person is blacklisted (lost their legal authorisation to access the site), and a blacklist blocks a whole bunch of people from accessing the site, then all but one of them are still legally authorised. Of course the site may say "we have so much trouble coming from that IP range, we blacklist all of them". Which is a bit unfair, but perfectly legal.

Imagine one person is banned from a shopping mall. If that person puts on a false beard and enters the shopping mall, they may not be recognised, but

Imagine one person is banned from a shopping mall. If that person puts on a false beard and enters the shopping mall, they may not be recognised, but they are still trespassing. If _you_ put on a false beard, that doesn't make you a trespasser.

Right, but what this ruling seems to suggest is that changing/obscuring your IP to get bypass a blacklist is, in itself, a felony because it's considered 'hacking'.

Yet you're telling me that, if I try to bypass a blacklist for any reason, I'm committing fraud?

No, nobody's telling you that.

The judge apparently assumes that people are in general authorized to access public web sites, but that a formal letter revoking that authorization to a particular entity does remove the authorization. A C&D letter isn't a legal mandate, and you won't be prosecuted for violating one, but you could be if you do something potentially illegal. The fact that 3taps circumvented

The more vague and broad a law is the more inconvenient people we can incarcirate! We should strive to make sure the dirty peasants know that the moment they get out of line we will slam the book against them with as many vaguely defined crimes as possible!

Have you already sent legal cease-and-desist letters to everyone who unknowingly or knowingly has abused your domain by accessing it; and have they provably ignored this order by willful intent, possibly by circumventing a minor technical barrier?

Try following a link in your GMail on your tablet or mobile phone to what looks to be an interesting video, only to hit a heartwarming "The owner of this content has not authorised viewing on mobile platforms" YouTube page, for that matter.

> that one might follow a link to material on a website without being aware of its being on that website, and then be held accountable for

You think they weren't aware that their business model was scraping craigslist? They were most certainly aware of which site they were scraping. When they signed for the certified C&D letter, they were well aware that they were doing so over the objections of the owner.

To me, this is exactly like criminal trespass. The fact that they set up proxies in attempt to